Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head out of disk space due to HUGE audit and _internaldb DBs

woodcock
Esteemed Legend
‎01-21-2014 09:48 PM

I am out of disk space on my oldest search head because of this:

cd ${SPLUNK_HOME}/var/lib/splunk; du -sh ./* 2> /dev/null | grep G
20G     ./audit
5.6G    ./_internaldb
1.3G    ./summary_forwarders
1.3G    ./summary_hosts
7.1G    ./summary_sources

Is it OK to go into the audit directory and delete the oldest buckets?
What are the "best practices" for managing file space in these always-growing DBs?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-21-2014 11:04 PM

These indexes are not "always growing." They have a maximum size, which you can change. Then when you restart Splunk, it will pare the indexes down to that size. You can set this in indexes.conf, but it is best to do this through the GUI on the indexer(s) if you are unsure. I believe that you will need to restart Splunk after you change this value.

maxTotalDataSizeMB = 500000

Don't just delete buckets. Let Splunk do it.

Although Luke makes a great point, it would be a good idea to look at these indexes and see what's up. The SOS app has a lot of reports based on the _internal and _audit indexes, and most of the built-in reports and dashboards use these indexes as well.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-21-2014 11:04 PM

These indexes are not "always growing." They have a maximum size, which you can change. Then when you restart Splunk, it will pare the indexes down to that size. You can set this in indexes.conf, but it is best to do this through the GUI on the indexer(s) if you are unsure. I believe that you will need to restart Splunk after you change this value.

maxTotalDataSizeMB = 500000

Don't just delete buckets. Let Splunk do it.

Although Luke makes a great point, it would be a good idea to look at these indexes and see what's up. The SOS app has a lot of reports based on the _internal and _audit indexes, and most of the built-in reports and dashboards use these indexes as well.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-21-2014 09:58 PM

If you're running default settings on internal indexes, then you need to figure out why your deployment has such a large log volume - what messages are filling up the logs?

Reply
Solved! Jump to solution

lguinn2
Legend
‎01-22-2014 02:40 AM

Splunk indexes its own logs - so the indexes contain the current log data, and as much historical log data as will fit in the allotted space. The idea is that you can use Splunk to search Splunk's own logs, just like you can search any other log file!

Don't delete the logs though, because if Splunk were broken, you might need to manually inspect the logs.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-21-2014 10:02 PM

This is not in ${SPLUNK_HOME}/var/log/splunk/ or are you saying that the db space is merely a place to hold old logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...